A method for electronic voting with Coercionfree receipt

1
A method for electronic voting with Coercion-free
receipt

• David J. Reynolds
• (unaffiliated)

2
The central problem

• How to get a DRE to properly encrypt a vote?
• How to ensure encrypted votes are properly
  tallied?

3
Some Stricter Requirements

• End-to-end verifiable
• No trust for integrity
• Election authorities preserve
  privacy only
• containment is distributed
• No one authority can expose a vote
• no trusted computational devices
• ? Voter participates critically in
  verification

4
Expose fraud-in-collection using

• Chaum (optical) ---
• Neff ---
• This system ---

Human optical skills
Temporal sequence
Temporal sequence
5
How it works

• Analogy
• Model DRE Collector
• Collector has
• invisible-ink pen public key
• invisible-ink writing public-key
  encrypted
• Tallier has magic-marker
• magic-marker private key

6

• Meet with Collector
• Collector writes your vote using invisible-ink
  pen you cant read invisible ink
• You can write in ordinary-ink, must not reveal
  vote
• Bring your vote to bulletin-board
• Tallier (privately) uses magic-marker to read
  invisible ink on your vote
• Can the Tallier detect fraud by collector?

YES!!!
7
(convention)

Represents 625 in invisible ink ( encrypted in
public key)
Represents 625 in ordinary ink ( plaintext)
8
Filled ballot (preview)
9
Terminology

• On voted for
• Off not voted for
• L options
• The vote is the on-option
• The others are the off-options
• (K of L voting K on-options, L-K off-options)

10
Polling process
Voter announces votegreen
Verification Phase 1 voter fills external
verification values for off-options
Collector commit

• collector enters vote

• copies external v.-values for off-options to
  internal

• Writes randomly-chosen internal v.-value for
  on-option

Verification Phase 2 voter fills external
verification value for on-option
11
Verification process
Tallier checks that internal verification values
equal external verification values for off-options

• Verification
• condition

Thats the method!!
12
The heart of the method
MUST MEET TWO CRITERIA

• During verification/tallying, a condition is
  checked for each off-option (of the vote as
  encrypted)
• The Collector can not satisfy this condition for
  the on-option (of the true vote)
• (P_success 1/1000)
• Thats all we need!!

13

• Fraud ? on-option of true vote off-option of
  vote-as-encrypted

• a condition is checked for each off-option.
• The Collector can not satisfy this condition for
  the on-option (of the true vote)

a) is ensured by the tallying/verification
arrangement
b) is ensured by the polling sequence and voter
vigilance
14
Important feature

• Voter just needs to
• Ensure that the temporal sequence is OK (commit
  phase occurs before voter enters v.value for
  on-option)
• That the v.value for on-option is as voter
  specified

Voter does not need to check verification-values
for off-options
(Neffs method has this feature too)
15
DRE Coercion-properties

• Use identical UI and front-end receipting system
  to Neffs
• Requires printer with minimally-modified housing
  (commit must be seen to be made, but not
  readable)
• Fully coercion-free. Voter has full control over
  receipt outcome, regardless of vote.

16
Tallying methods

• Re-encryption mix-net
• Chaumian mix-net
• Without mix-net (with homomorphic encryption)
• ? Complexity linear in L
• (Independent of K)

17
Notation
Layout in Analogy
True DRE receipt
Receipt is substantially
,
ID,
18
Homomorphic Tallying
Encrypting the vote

Encrypt vote as an L-tuple (unitary)
.
19
Homomorphic tallying
Proving the vote
a. Verification condition
DRE proves for each k in 1..L in Zero-knowledge
OR
b. Proving the vote 1-valued
(long known method for unitary approach)
DRE proves for each k
OR
To prove 1-of-L (not double-voted on issues)
Prove that the product of all encrypts 1
? simply reveal the randomizer of the product
This proving-1-valued is linear in L
20
Homomorphic tallying

• Counting the vote
• Trivially linear because of encrypting as
  L-tuple all of the votes on options are
  encrypted separately
• ? Take the product of encrypted votes on
  each option
• (through votes of all voters) and
  Talliers
• decrypt result total number of
  votes on that option

21
Adapting other methods to achieve homomorphic
tallying, linear in L

• Assume DRE has already verifiably encrypted the
  vote
• Assume we can construct reasonable ZKPs of above
  form
• DRE encrypts vote again as L-tuple (unitary)
  as specified
• Prove that the in the linear fashion shown above
• DRE proves that encrypts same vote as
• provides ZKP for each option k of
  the vote that

OR
22
Re-encryption Mix-net Tallying
Encrypting the vote

.
Just need re-encrypt property
23
Re-encrypt. mix-net tallying
Proving the vote
a. Verification condition
DRE proves for each k in 1..L in Zero-knowledge
OR
Can now go into mix-net
24
Re-encryption mix-variant

• Leverage assumed homomorphic property to
  subtract external from internal verifiers while
  they remain encrypted
• Results must travel with vote in mix-net
• Spares ZKPs from DRE, adds complexity to mix-net
• May be possible to reduce complexity by packing
  more than one number into 1 (familiar techniques)
• (d_overall d_1 1000 d_2
  1000.1000 d_3)

25
Chaumian Mix-net Tallying

Encrypting the vote
Input-batch element
Output-batch element
Verification condition (on output element)
26
DRE-Calculating ahead

• DRE can keep cache of calculations
• Assume voter often takes default
  verification-values for off-options
• ZKPs only need be calculated for on-option while
  voter waits
• Re-fill cache in separate thread

27
Conclusions

• Coercion-free verifiable system, very good
  security properties (p_detection1/M )
• Tally with re-encryption/Chaumian mix-net or
  homomorphic encryption
• Homomorphic tallying linear in L

28
More material

• Search for Reynolds on iacrs eprint website
• www.iacr.org
• (Should be accepted soon!)